Securing communications using 3rd Party Certificates

Every Enterprise has the necessity to encrypt the data which traverses the internet. Using secured communication has not proved to be the most secure way to transmit corporate data, so enterprises have gone a step ahead to get specific third party certificates like SSL, PFX etc. These third party certificates ensures that the corporate data is encrypted in such a way, that only the recipient who owns the certificate can decrypt it. Vulnerability Manager Plus supports using SSL and PFX certificates. Adding these certificates to Vulnerability Manager Plus will secure the communication between the Vulnerability Manager Plus server and managed computers.

 
  • This certificate is valid for a specified term. If the certificate expires, then the communication between the Vulnerability Manager Plus agent and the server will no longer be secure.

Follow the steps mentioned below to create/renew and upload 3rd Party Certificates:

  1. Create CSR and Key Files
  2. Submit the CSR to a Certificate Authority (CA) to Obtain a CA Signed Certificate
  3. Upload the 3rd party Certificates to Vulnerability Manager Plus

1. Create CSR and Key Files

For Vulnerability Manager Plus version 11.1.2242.01 and above, 

  1. It is recommended to take a backup of your existing server.key and server.csr file before initiating this process. These files will be overwritten during this process.
  2. Navigate to <Server_Installed_Directory>/bin in command prompt with admin privileges and execute generateCSR.bat file.
  3. generateCSR.bat executes two operations: 
    • Creating the .csr and .key files 
    • Decrypting .key files 
  4. Enter 1 to proceed with .csr and .key file generation.
  5. Enter the country code by referring to this document. [Note: Re-run the batch file if you entered the wrong country code]
  6. Enter the necessary details for generating the .csr file. [State, locality, organization, organizational unit, common name, subject alternative names(seperated by commas)]   
  7. You have successfully generated the server.csr and server.key file. 

For Vulnerability Manager Plus version below 11.1.2242.01

    1. Navigate to server installation directory and access \bin.
    2. Run the command generateCSR.bat using administrator command prompt.
    3. Now, in the displayed prompts, enter the two letter Country Code next to countryName. Check the two letter country code of your country here.
    4. Next to localityName, enter the name of your locality. Specify the name of your organization, next to organizationName.
    5. Enter the name of your website or domain beside commonName. The FQDN of the web server (the host name), that is going to receive the certificate, is the Common Name. Do not include the following details while entering the Common Name:
      -> protocol (http:// or https://)
      -> port numbers or pathnames
    6. Enter the Subject Alternative Name (SAN) of your website. You must press enter by leaving a space to end the command execution.
      Here is an example :-
      *.domain.com
      manageengine.com
      ems.com
      desktopcentral.com
    1. Files named server.csr and private.key are created and placed under server installation directory\bin directory.
    1. Navigate to server installation directory and access \UEMS_server\apache\bin, create a file named opensslsan.conf, and copy the following code into the file:

      [ req ]
      prompt=no
      default_bits = 2048
      distinguished_name = req_distinguished_name
      req_extensions = req_ext
      [ req_distinguished_name ]
      countryName =
      stateOrProvinceName =
      localityName =
      organizationName =
      commonName =
      [ req_ext ]
      subjectAltName = @alt_names
      [alt_names]
      DNS.1 =
      DNS.2 =
      DNS.3 = 

    2. Now, in the code, enter the two letter Country Code next to countryName. Check the two letter country code of your country here.
    3. Next, enter the full name of your state or province next to stateOrProvinceName.
    4. Next to localityName, enter the name of your locality. Specify the name of your organization, next to organizationName.
    5. Enter the name of your website or domain beside commonName. The FQDN of the web server (the host name), that is going to receive the certificate, is the Common Name. Do not include the following details while entering the Common Name:
      -> protocol (http:// or https://)
      -> port numbers or pathnames
    6. Enter the Subject Alternative Name (SAN) of your website next to DNS.1, DNS.2, etc. in the code one by one. You can have many SAN for a single certificate. You can add more SAN by adding DNS.4, DNS.5, and so on, at the end of the code. Here is an example:

      [ req ]
      prompt=no
      default_bits = 2048
      distinguished_name = req_distinguished_name
      req_extensions = req_ext
      [ req_distinguished_name ]
      countryName = IN
      stateOrProvinceName = TN
      localityName = Chennai
      organizationName = ZOHO
      commonName = www.zoho.com
      [ req_ext ]
      subjectAltName = @alt_names
      [alt_names]
      DNS.1 = *.domain.com
      DNS.2 = manageengine.com
      DNS.3 = ems.com
      DNS.4 = desktopcentral.com

    7. Save the file, go to command prompt, and navigate to server installation directory and access \UEMS_server\apache\bin directory.
    8. Execute openssl.exe req -out server.csr -newkey rsa:2048 -nodes -keyout private.key -config opensslsan.conf command.
    9. Files named server.csr and private.key are created. 
    10. To verify the details, use openssl.exe req -in server.csr -noout -text -config ..\conf\openssl.cnf command.

Note: Do not delete private.key file under any circumstances.

2.Submit the CSR to a Certificate Authority (CA) to Obtain a CA Signed Certificate

  1. Submit created server.csr to CAs. Check their documentation / website for details on submitting CSRs and this will involve a cost to be paid to the CA
  2. This process usually takes a few days time and you will be returned your signed SSL certificate and the CA's chain/intermediate certificate as .cer files
  3. Save these files and rename your signed SSL certificate file to server.crt .

Note: The validity of the certificate should be less than 397 days.

3.Upload the 3rd party Certificates to Vulnerability Manager Plus

  1. Click Admin tab on Vulnerability Manager Plus console
  2. Under Global Settings , click Import SSL Certificates
  3. Browse to upload the certificate that you have received from the vendor (CA). The certificate will be .crt format for SSL and in pfx format for PFX certificates
    1. If you upload a .crt file, then you will be prompted to upload the server.key file.  After uploading the sever.key, you will be prompted to upload the intermediate certificate. If you choose Automatic ,then the intermediate certificate will be detected automatically. However when the intermediate certificate is detected automatically , only one certificate will be detected. If you wanted to use your own intermediate certificate, or upload more than one intermediate certificate, then you need to choose Manual , and upload them manually.
    2. If you choose to upload a .pfx file, then you will be prompted to enter the password provided by the vendor.
  4. Click Save to import the certificate.

You have successfully imported the third party certificates to Vulnerability Manager Plus server. These certificates will be used only when HTTPS mode is enabled for communication. Click Admin tab and choose Server Settings, to enable Https mode under General Settings. You can now see that the communication between the Vulnerability Manager Plus Server and the agents is secure.

 

Ensure that the pfx file or .cert file should match the NAT address specified in the Vulnerability Manager Plus server. If Vulnerability Manager Plus and ServiceDesk Plus server are installed in the same computer, then the same pfx file will work. In the above listed case, if ServiceDesk Plus server is moved to a different computer, then the pfx needs to be modified to specify the appropriate host name.